WP Maps Pro Flaw Lets Hackers Create Admin Accounts


Hackers are actively exploiting a critical WP Maps Pro flaw to create admin accounts on WordPress sites. Learn how to protect your site and what to do if you're already compromised.

If you run a WordPress site and use WP Maps Pro, you need to pay attention right now. Hackers are actively exploiting a critical security flaw in this popular plugin to create malicious admin accounts on vulnerable sites. It's not a theoretical risk—it's happening now, and the damage can be severe.

WP Maps Pro is a premium plugin that lets you embed customizable Google Maps and OpenStreetMap maps with markers, listings, and advanced location features. It has over 15,000 sales on Envato Market, which means a lot of site owners rely on it. That popularity also makes it an attractive target for attackers.

### What's the Vulnerability?

The flaw allows unauthenticated users to create administrator accounts on your WordPress site. That means anyone with an internet connection—cybercriminals included—can bypass the login screen and gain full control. Once they have admin access, they can install malware, steal data, or redirect your traffic to phishing pages.

Security researchers first spotted active exploitation attempts in late 2024. Since then, the number of attacks has only grown. If you haven't updated the plugin yet, your site is at risk.

### Why Should You Care?

Think of your website as your digital storefront. If a hacker takes it over, they can lock you out, deface your pages, or use your site to attack visitors. For businesses, this can mean lost revenue, a damaged reputation, and even legal trouble if customer data is compromised.

- **Loss of control:** Hackers can delete or modify content.
- **Data theft:** Customer information, payment details, or login credentials can be stolen.
- **SEO damage:** Google may blacklist your site if it's used for spam or malware.

### How to Protect Yourself

First, check whether you're using WP Maps Pro. If you are, update to the latest version immediately. The plugin developer has released a patch that fixes the vulnerability. Don't delay—every day you wait increases the chance of an attack.

Second, enable automatic updates for all your plugins. This ensures you get security patches as soon as they're available. You can do this in your WordPress dashboard under Plugins > Installed Plugins; look for the auto-update toggle.

Third, consider using a security plugin like Wordfence or Sucuri. These tools can block malicious login attempts and alert you to suspicious activity. They're not a cure-all, but they add an extra layer of protection.

### What If You're Already Compromised?

If you notice unfamiliar admin accounts on your site, act fast. Log in and remove any users you don't recognize. Change all passwords, including those for your hosting account, FTP, and database. Then run a security scan to check for malware.

If you're not comfortable doing this yourself, hire a professional. A WordPress security expert can clean up your site and harden it against future attacks. It's a small investment compared to the cost of a full breach.

### The Bigger Picture

This isn't just about one plugin. It's a reminder that every piece of software on your site is a potential entry point for attackers. Keep everything updated—themes, plugins, and WordPress core. Use strong passwords and two-factor authentication. And always have a backup plan.

Your website is your online identity. Protect it like you would your home. Lock the doors, check the windows, and don't let anyone in without a key.
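A way to make the "unfamiliar admin accounts" check repeatable, as an added example that is not part of the original article: it takes the JSON that WP-CLI's `wp user list --role=administrator --format=json` prints (the sample below is constructed, not real site data) and flags any administrator whose login is not on your own allowlist or who was registered after a date you know the site was clean. The function name and the assumption that WP-CLI joins multiple roles with commas in the `roles` field are this example's, not the article's.

```python
"""Audit WordPress administrator accounts for ones you did not create.

Added example (not from the article). Pipe in the output of
`wp user list --role=administrator --format=json`, pass the admin logins
you created yourself and a date the site was last known clean; anything
else is listed for review. Sample data below is constructed.
"""
import json
from datetime import datetime

# Constructed sample in the shape of WP-CLI's JSON output; field names
# match `wp user list` defaults, the values are made up for illustration.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "display_name": "Site Owner",
     "user_email": "owner@example.com",
     "user_registered": "2021-03-14 09:12:00", "roles": "administrator"},
    {"ID": 57, "user_login": "wpadm1n", "display_name": "wpadm1n",
     "user_email": "x@example.net",
     "user_registered": "2024-11-30 02:41:17", "roles": "administrator"},
])


def find_unexpected_admins(wp_cli_json, allowlist, clean_since):
    """Return [(login, registered, reasons)] for admins needing review.

    allowlist   - set of user_login values you know you created
    clean_since - 'YYYY-MM-DD'; admins registered after this are flagged
    """
    cutoff = datetime.strptime(clean_since, "%Y-%m-%d")
    flagged = []
    for user in json.loads(wp_cli_json):
        # Assumption: WP-CLI emits roles as a comma-separated string.
        if "administrator" not in user["roles"].split(","):
            continue
        registered = datetime.strptime(user["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in allowlist:
            reasons.append("login not on allowlist")
        if registered > cutoff:
            reasons.append("registered after clean_since")
        if reasons:
            flagged.append((user["user_login"], user["user_registered"],
                            reasons))
    return flagged


if __name__ == "__main__":
    for login, when, why in find_unexpected_admins(
            SAMPLE_WP_CLI_JSON, {"siteowner"}, "2024-10-01"):
        print(f"REVIEW {login} (registered {when}): {', '.join(why)}")
```

Run it against a fresh `wp user list` export after every plugin update, and treat any flagged account as a reason to rotate passwords and scan the site.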